The party responsible for the recently discovered security flaw
in the IE 8 browser has yet to be identified, but researchers
believe hackers employed a watering-hole attack to specifically
target US government employees and contractors who browse a website
regularly frequented by staffers in the nuclear sector.

Microsoft confirmed on Friday the existence of a zero-day
code-execution vulnerability in IE 8 that, if not fixed, could
allow hackers to install malware on a victim’s machine by means of
so-called “drive-by attacks.” Indeed, the flaw was discovered only
after an unknown number of computers became infected with a
backdoor Trojan that was reportedly installed on the machines of
web surfers who used IE 8 to navigate to a specific page on the US
Department of Labor website.

“The Department of Labor site was rigged to redirect users to
another site that infected computers with an iteration of the
infamous ‘Poison Ivy’ Trojan, which was able to avoid detection by
all but two major anti-virus products,” Ben Weitzenkorn wrote
Monday for TechNews Daily.

According to Microsoft, “The vulnerability may corrupt memory
in a way that could allow an attacker to execute arbitrary code in
the context of the current user within Internet Explorer.”

“An attacker could host a specially crafted website that is
designed to exploit this vulnerability through Internet Explorer
and then convince a user to view the website,” the company
said.

Researchers aren’t sure yet who exploited the flaw and are still
assessing any damages incurred by the issue, but they have managed
to identify the single Department of Labor webpage that was
compromised by hackers: the DoL’s Site Exposure Matrices (SEM)
page, described by the agency as “a repository of information on
toxic substances present at Department of Energy (DOE) and
Radiation Exposure Compensation Act (RECA) sites.” The SEM page
contains information about the links between toxic substances and
recognized occupational illnesses, and was designed to be used by
staffers routinely exposed to nuclear elements and other hazardous
materials.

“The target of this attack appears to be employees of the
Dept of Energy that likely work in nuclear weapons research,”
security company Invincea announced on its blog.

Speaking to NextGov, Invincea founder and former Defense
Advanced Research Projects Agency program manager Anup Ghosh said,
“We can infer the target of the attack are [Energy Department]
folks in a watering hole style attack compromising one federal
department to attack another.”

Suspects have yet to be identified, but watering hole attacks
targeting specific groups of victims have been routinely used by
state-sponsored cybercriminals in the past. Security firm
AlienVault added that it believes the attack was carried out by
“DeepPanda,” a group of hackers alleged to have previously engaged
in cyber espionage on behalf of the Chinese government.

Separately from the exploit, the Pentagon released on Monday a
92-page report, the 2013 “Military and Security Developments
Involving the People’s Republic of China,” which discusses in
detail the potential cyberattacks on US computers that could
originate from the Far East.

The Labor Department has since taken the SEM page down, but the
damage may already have been done. Although the exploit in IE was
only discovered last week, security firm CrowdStrike said its
research led it to believe the campaign started in March and
infected victims in 37 countries, primarily machines in the US.
Only computers running version 8 of Internet Explorer on Windows
XP, Windows Vista or Windows 7 that navigated to the SEM page were
vulnerable, but IE is the most widely used browser in America, with
a market share of roughly 42 percent, according to StatCounter’s
April 2013 analysis.